Overview
We've listed CIS rules for your Amazon Web Services (AWS) Cloud Provider.
| RULE NAME | RESOURCE TYPE | DESCRIPTION |
| --- | --- | --- |
| CLOUDTRAIL S3 BUCKET IS NOT PUBLIC | CloudTrail | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
| CLOUDTRAIL IS ENABLED IN ALL REGIONS | CloudTrail | Ensure at least one multi-region CloudTrail exists that captures Management Events with ReadWrite type All |
| CHECK FILTER AND ALARM EXISTS FOR UNAUTHORIZED API CALLS | CloudTrail | Ensure a log metric filter and alarm exist for unauthorized API calls |
| CHECK FILTER AND ALARM EXIST FOR NON MFA MGMT ACCESS | CloudTrail | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
| CHECK FILTER AND ALARM EXIST FOR USAGE OF ROOT ACCOUNT | CloudTrail | Ensure a log metric filter and alarm exist for usage of the root account |
| CHECK FILTER AND ALARM EXIST FOR IAM POLICY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for IAM policy changes |
| CHECK FILTER AND ALARM EXIST FOR CLOUDTRAIL CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
| CHECK FILTER AND ALARM EXIST FOR MGMT CONSOLE AUTH FAILURES | CloudTrail | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
| CHECK FILTER AND ALARM EXIST FOR DISABLING OR DELETING CMK | CloudTrail | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
| CHECK FILTER AND ALARM EXIST FOR S3 BUCKET POLICY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
| CHECK FILTER AND ALARM EXIST FOR CONFIG CONFIGURATION CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
| CHECK FILTER AND ALARM EXIST FOR SECURITY GROUP CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for Security Group changes |
| CHECK FILTER AND ALARM EXIST FOR NACL CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACLs) |
| CHECK FILTER AND ALARM EXIST FOR NETWORK GATEWAY CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for changes to Network Gateways |
| CHECK FILTER AND ALARM EXIST FOR ROUTE TABLE CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for Route Table changes |
| CHECK FILTER AND ALARM EXIST FOR VPC CHANGES | CloudTrail | Ensure a log metric filter and alarm exist for VPC changes |
| CLOUDTRAIL S3BUCKET ACCESS LOGGING ENABLED | CloudTrail | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
| CLOUDTRAIL ENCRYPTED WITH KMS CMK | CloudTrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| CLOUDTRAIL INTEGRATED WITH CLOUDWATCH | CloudTrail | Ensure CloudTrail is integrated with CloudWatch Logs |
| CLOUDTRAIL LOGFILE VALIDATION ENABLED | CloudTrail | Ensure CloudTrail log file validation is enabled |
| CHECK CONFIG ENABLED FOR ALL REGIONS | Config | Ensure AWS Config is enabled in all regions |
| CHECK SECURITY GROUP RDP OPEN TO PUBLIC | EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 |
| CHECK SECURITY GROUP SSH OPEN TO PUBLIC | EC2 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 |
| CHECK MFA ENABLED FOR ROOT ACCOUNT | IAM | Ensure MFA is enabled for the root account |
| IAM KEYS OLDER THAN 90 DAYS | IAM | Ensure access keys are rotated every 90 days or less |
| CHECK HARDWARE MFA ENABLED FOR ROOT ACCOUNT | IAM | Ensure hardware MFA is enabled for the root account |
| CHECK NO IAM POLICY WITH FULL ADMIN PRIVILEGES | IAM | Ensure IAM policies that allow full *.* administrative privileges are not created |
| CHECK PWD POLICY PASSWORD EXPIRES IN 90 DAYS | IAM | Ensure the IAM password policy expires passwords within 90 days or less |
| CHECK CREDENTIAL UNUSED FOR 90 DAYS | IAM | Ensure no credentials remain unused for 90 days |
| CHECK PWD POLICY MIN 14 CHARACTERS | IAM | Ensure the IAM password policy requires a minimum length of 14 or greater |
| CHECK PWD POLICY PREVENTS PASSWORD REUSE | IAM | Ensure the IAM password policy prevents reuse of the last 24 passwords |
| CHECK PWD POLICY MIN ONE NUMBER | IAM | Ensure the IAM password policy requires at least one number |
| CHECK PWD POLICY MIN ONE SYMBOL | IAM | Ensure the IAM password policy requires at least one symbol |
| CHECK IAM POLICIES ATTACHED ONLY TO GROUP OR ROLES | IAM | Ensure IAM policies are attached only to groups or roles |
| CHECK SUPPORT ROLE EXISTS | IAM | Ensure a support role has been created to manage incidents with AWS Support |
| CHECK PWD POLICY MIN ONE LOWERCASE LETTER | IAM | Ensure the IAM password policy requires at least one lowercase letter |
| CHECK PWD POLICY MIN ONE UPPERCASE LETTER | IAM | Ensure the IAM password policy requires at least one uppercase letter |
| CHECK KEY ROTATION ENABLED FOR CMK | Keys | Ensure rotation for customer created CMKs is enabled |